Yaroslava Ryabova – Kaspersky official blog (https://www.kaspersky.com/blog)

Kaspersky fixes vulnerabilities in products’ components | Kaspersky official blog https://www.kaspersky.com/blog/kaspersky-products-fixed/31475/ Mon, 25 Nov 2019 09:54:41 +0000

We are software developers. Which means we are humans (so far). And all humans make mistakes. That’s why you won’t find a software developer in the world whose products are without any flaws or mistakes. Simply put: Bugs happen. It’s normal.

Bug busters wanted

What is not normal is not trying to find and fix those bugs. That’s why we at Kaspersky put a lot of effort into it. We eliminate most vulnerabilities in our products during several stages of internal testing, and we have a very thorough beta-testing program that involves many people (including our devoted Kaspersky Club). We have also implemented a secure development life cycle. All of that helps us minimize the number of bugs and vulnerabilities.

However, no matter how thorough the preventive measures are, little buggies manage to sneak in — and no software product in the world can completely get rid of them at the preventive stage. That’s why we not only continue monitoring them intently after our releases, but also encourage independent researchers to discover and report them. This includes the creation of our bug bounty program together with HackerOne, which offers a reward of up to $100,000 for reporting bugs, and establishing a Safe Harbor for researchers with Disclose.io. We invite every researcher, using any channel of communication, to disclose any bugs or vulnerabilities they find to us.

So, today we thank Wladimir Palant, an independent security researcher, who informed us about several vulnerabilities in some of our products. Now we’re shedding light on the bugs Palant discovered, how we fixed them, and the current state of our products.

Found and fixed

To provide a secure Internet connection, including blocking ads and trackers and warning you about malicious search results, we use a browser extension. Of course, you may refuse to install this (or any) extension. Our app won’t leave you without protection on the Internet, so if it senses the extension isn’t installed, it injects scripts into the Web pages you visit to monitor them for potential threats. In such cases, a communication channel is established between the script and the body of the security solution.

The bulk of the vulnerabilities Palant discovered were in this communication channel. In theory, if an adversary attacked this channel, it could be used to command the main app. Palant discovered the issue affecting Kaspersky Internet Security 2019 back in December 2018, and he reported it to us through the bug bounty program. We started working on the issue immediately.

Another of Palant’s findings was a potential exploit using the communication channel between the browser extension and the product, for example to access important data such as a Kaspersky security solution’s product ID, product version, and operating system version. We fixed that as well.

Finally, Ronald Eikenberg of c’t magazine discovered a vulnerability that disclosed unique IDs to websites visited by users of Kaspersky products. We fixed it back in July, and by August it had reached all of our users. Palant later found another vulnerability of that sort, and it was fixed in November 2019.

Why use that technology?

Using scripts like those we describe above is not an uncommon practice in the antivirus world; however, not every vendor uses them. As for us, we use the script-injection technology only if you don’t enable our browser extension. We recommend using the extension. However, even if you decide not to use it, we still do our best to provide you with a good user experience and protection.

The scripts are used mainly to enhance user experience — for example, they help block banners — but in addition to that, they protect users against attacks with dynamic Web pages, which cannot otherwise be detected if the Kaspersky Protection extension is disabled. Also, components such as antiphishing and parental control rely on the scripts to work.

Thanks to Wladimir Palant, we were able to significantly enhance the protection of the communication channel between the scripts or the plugin and the main app.

Building it together

As of now, all discovered vulnerabilities have been closed, and the attack surface is significantly narrowed. Our products are safe whether you use them with or without the Kaspersky Protection browser extension.

We want to thank everyone who helps us find bugs in our products. It is partly due to their efforts that our solutions continue to be the best, as proven by various independent test laboratories, and we invite all security researchers to participate in our bug bounty program.

Nothing is absolutely secure. However, by working together with security researchers, fixing vulnerabilities as soon as possible, and constantly improving our technologies we can offer our users the strongest protection in existence against all possible threats.

Cheap Android phones may contain preloaded malware | Kaspersky official blog https://www.kaspersky.com/blog/preinstalled-android-malware/22728/ Mon, 11 Jun 2018 13:00:40 +0000

Having decided to buy an Android smartphone, one faces a crazy variety of choices. The number of manufacturers is growing, and there are thousands of opinions about which particular device to choose.

Customers are so overwhelmed with all these choices that for most of them, price becomes the main — and sometimes the only — deciding factor. And that’s where smartphones from less-known manufacturers come in: They promise the same features and quality for half the price of what well-known brands offer. Understandably, it’s hard not to be attracted by these generous offerings.

You know what, though? It’s not that simple. Quite often, when you buy a smartphone like that, you also get some hidden extras — for example, some preinstalled malware. Here’s what’s going on.

Trojan in a poke

Android’s big advantage is that it’s a very flexible mobile platform, which makes it popular among developers. Google develops the core software, but any manufacturer can customize it and fill a smartphone with its own native apps to make its products stand out.

Some of that native software is system apps — apps installed by the manufacturer in the /system/app or even the /system/priv-app (priv for “privileged”) folder in an Android device, that cannot be uninstalled by the user. All well and good, but when you add a profit motive, the picture gets a bit murky.

In theory, a manufacturer can fill the /system/app (or /system/priv-app) folder with whatever it thinks customers might find useful. In practice, manufacturers use the opportunity to earn an extra buck, for example, by charging app developers to preinstall their apps. And sometimes, willingly or not, smartphone manufacturers fill the folder with malware.

Preloaded malware can show you ads you can’t avoid, or collect your personal data to sell to third parties — or combine the two intrusions, showing you ads based on that data. It all helps decrease the final price of the device. Nice business model!

A preloaded Trojan that allowed criminals to overlay ads over the OS was found on devices made by relatively big developers such as ZTE, Archos, Prestigio and myPhone. Another investigation found that OnePlus and BLU smartphones were preloaded with spying software that was collecting sensitive personal data and sending it to the manufacturers’ servers.

Funnily enough, most of the manufacturers we mentioned are listed as certified partners on the Android official website. That means that preinstalling malware is becoming something of a common practice, and you can’t simply rely on a well-known manufacturer’s honor.

Buy — but verify

To minimize the risk of purchasing an infected device, or at least to identify a device that will show you advertising in practically every app and collect your personal data without your permission after the purchase, we highly recommend the following:

  • Do your research: Chances are, the phone you’re looking at has already been discussed on the Web — especially if owners are complaining about preinstalled malware.
  • As is often the case, if something looks too good to be true, perhaps it is too good to be true. It may be wise to avoid smartphones that are radically less expensive than comparable models — it’s not unlikely that their manufacturers are using some shady practices to recoup the money that isn’t on the price tag.
  • Check the certification status of your Android device to be sure that its firmware has been tested by Google. Certification doesn’t guarantee that there’s no malware preinstalled, but certified devices are significantly less likely to be infected before sale.
  • Install a reliable antivirus utility that will inform and protect you the moment it encounters a malicious program. With malware sometimes installed before a buyer unboxes a new purchase, your smartphone can be infected no matter how safe your behavior.
How advertising in voice assistants will work | Kaspersky official blog https://www.kaspersky.com/blog/voice-helper-ads/22496/ Fri, 25 May 2018 08:24:59 +0000

Anyone who doesn’t use, or at least hasn’t heard of, voice assistants belongs to a very exclusive club. For many, it’s easier to ask Google, Alexa, or Siri a question rather than typing in a search query.

However, as with any futuristic technology, care is called for when it comes to voice helpers. We’ve already posted about how these eerily Orwellian smart devices could potentially threaten privacy. Today we discuss a related technology: ads on voice helpers. What are they, and what could possibly go wrong? Read on.

The future of Big Advertising

About a year ago, the Google Home voice assistant was involved in an interesting story. A device owner used the My Day feature, but after hearing the expected weather and traffic reports as well as news and to-do items, he was informed that Beauty and the Beast had opened in local movie theaters. Music from the new film played, followed by a prompt to learn more about it.

A video of the device playing the ad quickly spread online. Surprisingly, a Google spokesperson denied that the audio snippet constituted advertising, issuing a rather strange statement: “This isn’t an ad; the beauty in the Assistant is that it invites our partners to be our guest and share their tales.” While people were scratching their heads over this Delphic pronouncement, Google quickly deleted the message from all Home devices.

It’s rumored that Google didn’t receive any money from Disney for the message, so it seems like it was all a bit of an experiment. Nevertheless, if voice helper ads are to happen, that’s how they would most likely look.

Earlier this year, it was reported that Amazon was in talks with several major companies, including retail giants Procter & Gamble and Clorox, about the placement of voice ads in response to directly relevant user queries.

In theory, from a sellers’ perspective, such ads are far juicier than the usual contextual advertising. For a start, it won’t feel like advertising, but rather like friendly advice to the user. What’s more, the user won’t scroll past it as in Facebook, but rather will listen to the dulcet tones of the electronic assistant all the way through.

And if one considers that Amazon Echos are flying off the shelves and into people’s living rooms, voice assistants do indeed represent an advertising revolution. For its part, Amazon has stated that it has no intention of adding ads to Alexa. At least for the time being…

What about personal data?

From what we know of Amazon’s negotiations with potential advertisers, it seems that the technology behind voice advertising will resemble what is already used for contextual advertising in online search. This technology is based on processing big personal data and essentially selling it on to advertisers.

Google and Amazon are hardly rookies in this field; both are skilled harvesters of all sorts of info, and data collection technologies are advancing even more rapidly than new devices. At the same time, users have long suspected major companies of employing somewhat dubious technologies including voice processing and targeted advertising based on the data generated from it.

Many have complained that after mentioning something out loud and then going online, they saw a contextual ad for the very thing they were just talking about. Facebook and Google, the companies most often accused, deny doing so. Yet the technology turns out to be wholly implementable, and continuous eavesdropping does not drain a phone’s battery too much. On devices with a permanent power supply, that is even less of an issue.

The data that Google and Amazon collect about you, based on your online behavior, is already more than enough to show you relevant ads. Combine that with the smooth-tongued delivery of the voice assistant informing you that your favorite cookies (of the edible variety) are just around the corner, or a new store just opened nearby selling the perfect wine to complement the T-bone steak you plan on cooking this evening, and those ads become not only relevant, but also highly persuasive. What’s more, voice helpers are already capable of placing orders for their owners. Add the ability to eavesdrop and analyze what’s been heard, and the technology becomes downright creepy.

Will advertising deprive us of choice?

In our brave new reality, much of what we consume, we pay for with our personal data. Voice ads — personalized, trustworthy, relevant, and perhaps even useful — could be a real gold mine for the tech giants. But it’s not yet known how often we will hear such ads and to what extent they will dictate our consumer choices.

So the best line of defense at present is to be careful about what we hand over to data-munching technology, and what permissions we give.

Kaspersky Lab’s security solutions offer Web-tracking protection, limiting the amount of information tech Goliaths can harvest about you. To enable this feature, go to Kaspersky Internet Security’s settings and turn on the Private Browsing component. As for voice assistants, you can:

  • Turn off the microphone (Amazon Echo and Google Home have physical buttons for this), so as to limit the access to your data.
  • Block purchases or password-protect them in your account settings, so at least you won’t unwittingly buy anything using voice commands.
About SSL and TLS certificates, and their properties | Kaspersky official blog https://www.kaspersky.com/blog/certificates-are-different/22147/ Thu, 26 Apr 2018 13:00:39 +0000

A secure connection is encrypted and therefore safe; an unprotected one isn’t. Easy, right? But where do certificates come from, and what’s the difference between SSL and TLS? What does a digital certificate have to do with security, anyway?

In this post, we will try to answer at least some of these and other related queries. But let’s begin by looking at what HTTP and HTTPS in your browser’s address bar mean.

HTTP and HTTPS for data transfer

When an online visitor reads or enters data on a website, information is exchanged between their computer and the server on which the site is hosted. The process is governed by a data transfer protocol called HTTP (HyperText Transfer Protocol).

HTTP also has an extension called HTTPS (HyperText Transfer Protocol Secure). The secure version handles the transfer of information between client and server in encrypted form, meaning information exchanged between the client and server is available only to them, and not to third parties (for example, a Wi-Fi provider or administrator).

Data transmitted from the client to the server is in turn encrypted with its own cryptographic protocol. The first such protocol used for this purpose was SSL (Secure Sockets Layer). There were several versions of SSL protocol, all of which at some point ran into security troubles. A revamped and renamed version followed — TLS (Transport Layer Security), which is still in use today. The initials SSL stuck, however, and so the new version of the protocol is still usually called by the old name.

To employ encryption, a site must have a certificate, also called a digital signature, confirming that the encryption mechanism is trustworthy and conforms to the protocol. In addition to the letter S in HTTPS, another indicator that a site has such a certificate is a little green padlock (or a shield in some browsers) with the word Secure or the name of the company in the browser address bar. You can actually see what it looks like at the top of your browser window right now; all Kaspersky Lab websites use HTTPS.

How a site gets an SSL certificate

There are two ways to obtain a certificate. A webmaster can issue and sign the certificate and generate cryptographic keys. Such certificates are called self-signed certificates. When attempting to access the site, users are shown a warning that the certificate is untrusted.

On such sites, the browser window displays a crossed-out padlock, a red shield, the words Not Secure, the letters HTTPS in red instead of green, or the letters HTTPS in the address bar crossed out and highlighted red — it varies by browser and even for different versions of the same browser.

The better way is to purchase a certificate signed by a trusted certificate authority (CA). CAs check the site owner’s documents and right to own the domain — after all, the presence of a certificate should indicate that the resource belongs to a legitimate company registered in a particular region.

Although quite a few CAs exist, you can count the number of blue-chip ones on your fingers. A CA’s reputation determines the extent to which browser developers trust it and how they display sites bearing its certificates. The price of a certificate depends on its type and duration of validity, as well as on the reputation of the CA.

Types of SSL certificates

Certificates signed by CAs come in different flavors, varying by their trustworthiness, who can receive them and how, and price.

Domain Validation certificates

To obtain a Domain Validation certificate, an individual or legal entity must prove that they either own the domain in question or administer their site on it. This certificate enables a secure connection to be established but does not contain information about the organization to which it belongs, and no documents are required to issue it. Getting such a certificate rarely takes longer than a few minutes.

Organization Validation certificates

Higher-level versions are known as Organization Validation certificates, which confirm not only that the connection to the domain is secure, but that the domain actually belongs to the organization specified in the certificate. Checking all of the documentation and then issuing a certificate can take several days. If a site has a DV or OV certificate, the browser displays a gray or green padlock with the word Secure and the letters HTTPS in the address bar.

Extended Validation certificates

Finally, we have top-level Extended Validation certificates. As with the OV type, only legal entities that have provided all necessary documents can obtain certificates of this sort, and they cause the organization’s name and location to appear in green, next to a green padlock, in the address bar.

EV certificates are the most trusted by browsers, and they are also the most expensive. Again, depending on the browser, information about the certificate (who issued it, when, its validity period) can be viewed by clicking on the organization name or the word Secure.

Problems with certificates

Online security and user data protection are key principles that major browser developers such as Google and Mozilla factor into their policies. For example, in the fall of 2017 Google announced that henceforth it would name and shame all pages using an HTTP connection by marking them “Not Secure” and essentially obstructing users’ access to such pages.

Google’s move effectively forced HTTP sites to purchase a trusted certificate. Accordingly, demand for CA services shot up, prompting many authorities to speed up the document-checking stage, which had a negative effect on quality control.

The net result is that nowadays, trusted certificates may be issued to websites that aren’t totally reliable. A Google study revealed that one of the largest and most reputable CAs had issued more than 30,000 certificates without performing due diligence. Consequences were dire for the CA in question: Google stated that it would stop trusting all of its certificates pending the complete overhaul of its verification system and the introduction of new standards. Mozilla also plans to toughen certificate verification in its browsers.

Despite the responses, it is still not possible to be totally sure that a certificate and its owner are bona fide. Even in the case of an EV certificate that outwardly meets all security requirements, the green font cannot be trusted unconditionally.

The situation with EV certificates is lamentable. Phishers can, for example, register a firm under a name suspiciously similar to that of a well-known company and obtain an EV certificate for the site. The familiar-sounding company name will appear in green in the address bar of the phishing website, adding credibility. Therefore, when using any Web page, users must always stay vigilant and follow these guidelines.

Quiz: Are devices hurting your relationship? | Kaspersky official blog https://www.kaspersky.com/blog/relationships-vs-devices-quiz/21907/ Thu, 05 Apr 2018 07:00:17 +0000

There is no such thing as a perfect relationship. Partners make their own choices about the millions of tiny influences over the relationship as a whole. Have you ever thought about what those aspects actually are, and how the current era of numerous gadgets and continuous connectivity fits into that whole? What impact do all of those devices actually have on your relationship?

We at Kaspersky Lab led some research to try to find that out, and you know what? There are some really interesting points you may never have thought about before. Want to know exactly how your gadgets and online life affect your relationship and how you compare with the rest of the world? Take our quiz and find out! Each question describes a potential situation that a couple can face, and you just need to answer whether it is true about your relationship or not. Let’s go!

The regulatory battle for e-privacy | Kaspersky official blog https://www.kaspersky.com/blog/battle-of-eprivacy/21805/ Thu, 29 Mar 2018 07:31:04 +0000

At the Chaos Communication Congress, experts come together to discuss the hottest topics concerning security, privacy, and human rights in the digital age. Naturally, the new European ePrivacy Regulation was on the agenda this year.

Ingo Dachwitz, editor of German digital rights and Internet privacy portal Netzpolitik.org, talked about the regulation — what it’s about, how it can change the Internet, and why most representatives of the Internet industry think that its consequences may be disastrous.

A brief history of personal data protection regulation in Europe

You may already know about ePrivacy Regulation, or at least have heard of it. Public consultation was conducted in the EU, and it’s already been discussed in many of the European media. Here we summarize how the story of ePrivacy in Europe began.

The Internet started growing rapidly in the 1990s, and with it, the volume of user data has grown as well. Companies developed new ways to acquire and process that data, which became a valuable commodity. The more user data a company has, and the more effectively it analyzes the data, the more accurately that company can target consumers, selling products by showing users ads based on the data the users generate.

The European Commission began to pay special attention to everything concerning this sphere and how and by whom the data was used. The situation clearly required legal regulation on a higher level than had existed before. The first act on personal data protection was the Data Protection Directive. Its definition of personal data was somewhat vague, so 21 years later, in April 2016, it was replaced by General Data Protection Regulation (GDPR).

The regulation aims to strictly define and categorize personal data, as well as to unify and strengthen the rules of protection of EU citizens’ data — be it genetic, intellectual, cultural, economic, or social information. Examples include IP addresses, customer names, phones, supplier records, staff records, and much more.

Defining the new ePrivacy Regulation

And then came ePrivacy Regulation, which takes effect in May 2018 and adds regulation to the GDPR. Its precepts are largely similar to those of the GDPR; the main difference is that the ePrivacy Regulation divides personal data into two huge parts: content data (text messages, pictures, languages used, etc.) and metadata — “data about the data,” the information about the content files. For example, for Web pages, metadata include keywords, cookies, fingerprint files, and so forth. Metadata is hugely important for anyone who wants to define somebody on the Net, track them, and analyze their behavior.

Though this slide is from another talk at Chaos Communication Congress, it explains how important metadata is nowadays.

ePrivacy Regulation’s guiding principle regarding all types of user data on the Net is: “Privacy by default.” That means:

  • Data may be collected only with a user’s active consent, and it must be erased or anonymized when no longer needed for a communication (Article 6).
  • All forms of online tracking must be strictly controlled, beginning with users being asked directly if they want to be tracked. Tracking by default (without asking the user’s permission) and tracking walls (which block access to website content unless users agree to being tracked) are forbidden (Articles 7, 8, 9).
  • Offline tracking (over Bluetooth or Wi-Fi) may be used only for statistical purposes — or after obtaining explicit consent from a user (Article 8).
  • Providers of communication services shall secure users’ data by using end-to-end encryption, and a user’s data can be deciphered only by that user (Article 17).
  • Communication service providers may not prohibit the use of any means of user protection from tracking or targeting (e.g., ad-blockers) (Article 17).

The battlefield

Since the Regulation’s proposal in January 2017, European society has engaged in great debates about it. Europe’s largest media as well as representatives of Internet businesses have expressed the common point of view that the Regulation is not only not helpful for users, but also user-unfriendly and nonproductive.

Industry lobbyists on ePrivacy in the EU, such as the Interactive Advertising Bureau (IAB), DigitalEurope, the European Association of Communications Agencies (EACA), the European Magazine Media Association (EMMA), and more (members of these organizations include such companies as Amazon, Facebook, Google, Apple, Microsoft; the largest European digital, advertising, and PR agencies; and media companies), started an Internet campaign against the regulation. It is called “Like a Bad Movie,” and it imagines a world with ePrivacy Regulation in effect. They claim that the regulation’s approval will hurt users and the Internet as a whole. Its claims:

  • Limiting data-driven ad revenue will reduce the amount of high-quality journalism, leading to fewer quality information sources and less diversity of opinion on the Internet;
  • The business models of useful apps that live on data-driven ad revenue will fall apart;
  • The Regulation will confuse consumers more than help them, forcing them to manage privacy settings on every single device, in every browser, and on every website;
  • Much less free content will be available because sites won’t be able to make money from data-driven ads.

The lobbyists’ overarching point is that the Regulation threatens data-driven business models, and so the lobby is fighting it hard. Of the 41 lobby meetings on ePrivacy held with EU Commissioners in 2016, 36 were with corporate interests. As a result, the final proposal of the regulation — what we have now — is already missing some things that were in the draft. For example, its definition of metadata is vague, and the proposal to ensure default e-privacy settings on computer equipment was excluded.

The battle continues. Amendments to the regulation made by the European Parliament on October 23, 2017, tighten the rules constraining industry representatives. The lobbyists haven’t surrendered, though; there’s still time for new amendments to change the document completely.

This is all we know so far, and we’ll keep our eye on how the whole thing goes. We highly recommend you do the same. The regulation’s global impact is going to be enormous, as the Internet finds it may have to move away from being funded by user data. That makes the regulation, if it’s adopted, one of the most important upcoming events of the year — it will definitely mean more to the global economy than the FIFA World Cup.

Mining: Cybercriminals’ new weapon of choice | Kaspersky official blog https://www.kaspersky.com/blog/miners-threaten-your-business/21482/ Wed, 07 Mar 2018 13:54:03 +0000

Reflecting on 2017 and peering into our crystal ball for the year ahead, we predicted that ransomware — which ran riot in 2017 — would be unseated by sophisticated new cyberthreats in the form of cryptocurrency miners. Our latest study showed that miners have not only lived up to expectations, they’ve exceeded them.

Over the past six months, cybercriminals have raked in more than $7 million through injecting cryptominers. Here we explain how miners work on users’ computers, why they’ve become a major cyberthreat (especially for businesses), and how to protect your infrastructure against them.

The rise of the miners

In 2017, when the Bitcoin and altcoin (alternative cryptocurrencies) exchange rates hit the stratosphere, it became clear that owning tokens (which can be converted into real money) is a lucrative business. An especially attractive feature of cryptocurrency economics is that, unlike with real money, anyone can create digital currency by building on the blockchain by performing mathematical calculations and getting rewarded for it (see here for details of how the blockchain works).

A general rule of mining pools (organizations that unite miners) is that the more calculations you make, the more tokens you receive. The only problem is that the more calculations you want to perform, the more computing power you need — and the more electricity you’ll consume.

So it wasn’t long before cybercriminals hit upon the idea of using other people’s computers to mine cryptocurrency — after all, it’s in their DNA to exploit Internet technologies to make a fast buck. Ideally, of course, it’s done so that victims’ computers perform the calculations without the knowledge of their owners or administrators. For obvious reasons, cybercriminals are particularly fond of large corporate networks with hundreds of machines.

And they are getting very adept at putting their schemes into practice. As we speak, more than 2.7 million users worldwide have been attacked by “malicious miners” — that’s 1.5 times more than in 2016 — and the number continues to climb. Let’s talk a bit more about what technologies the attackers use.

A hidden threat

The first method bears all the hallmarks of technologies used to carry out advanced persistent threats (APT), which have been featured heavily in recent large-scale ransomware campaigns. These same methods — for example, attacks using the infamous EternalBlue exploit — are now being used to distribute hidden miners.

Another way to install a hidden miner on a victim’s computer is to convince the user to download a dropper, which then downloads a miner. Typically, cybercriminals lure users into downloading a dropper by masking it as an ad or a free version of a product, or through some phishing technique.

After being downloaded, the dropper runs on the computer and installs the actual miner along with a special utility that hides the miner in the system. The package can include autostart and autoconfig tools that might, for example, configure how much processing power the miner is allowed to use depending on what other programs are running, so as not to cause system slowdown and arouse the user’s suspicion.

These tools might also prevent the user from stopping the miner. If the user detects the miner and tries to disable it, the computer will simply reboot, after which the miner will continue as before. Interestingly, most hidden miners reuse the code of their legit counterparts, which further complicates detection.

There is another way to mine tokens illegally: Web mining, or mining from the browser. This is made possible by a site administrator embedding a mining script that runs in the browser when a victim visits the site. It can also be done by an attacker who has gained site administration access. While the user is on the site, their computer builds blocks (from which the criminal behind the script profits).

How can businesses protect devices from miners?

Today’s sophisticated attack technologies and complexities of detection have enabled cybercriminals to create entire botnets from victims’ computers and use them for hidden mining. Needless to say, a business infrastructure with large processing capacity is a juicy target for cybercrooks. Your company’s devices might be at risk as well. Therefore, we recommend implementing the following measures to protect your business:

  • Install security solutions on all computers and servers in use to keep your infrastructure an attack-free zone;
  • Carry out regular security audits of your corporate network for anomalies;
  • Keep a periodic eye on the Task Scheduler, which can be used by intruders to start malicious processes;
  • Don’t overlook less obvious targets, such as queue management systems, POS terminals, and even vending machines. As the miner that relied on the EternalBlue exploit shows, such equipment can also be hijacked to mine cryptocurrency;
  • Use specialized devices in Default Deny mode — this will protect them from miners and many other threats, too. For example, Default Deny mode can be configured using Kaspersky Endpoint Security for Business.
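One way to turn the Task Scheduler advice above into a repeatable check, as an added example that is not Kaspersky's code: the task records, the trusted-directory rule and the pool-URL pattern are constructed assumptions, not indicators named in the post.

```python
"""Added example (not Kaspersky's code): heuristic audit of scheduled-task
records for miner-style persistence.  The records are constructed sample data
shaped like the columns of `schtasks /query /fo CSV /v`; the heuristics
(user-writable paths, boot/logon triggers, pool URL schemes) are assumptions."""
import re
from typing import Dict, List

# Directories a legitimately installed program normally lives in (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Triggers that let a miner survive the reboot the post describes.
PERSISTENT_TRIGGERS = ("at system startup", "at logon")
# Pool connection strings typical of miner binaries (assumption, not exhaustive).
POOL_PATTERN = re.compile(r"stratum\+(tcp|ssl)://|--donate-level", re.I)

def audit_task(task: Dict[str, str]) -> List[str]:
    """Return the reasons one scheduled task looks like miner persistence."""
    cmd = task["Task To Run"].strip().lower()
    exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
    reasons = []
    if not exe.startswith(TRUSTED_DIRS):
        reasons.append(f"binary outside trusted dirs: {exe}")
    if task["Schedule Type"].strip().lower() in PERSISTENT_TRIGGERS:
        reasons.append("runs at startup/logon")
    if POOL_PATTERN.search(cmd):
        reasons.append("mining-pool arguments on command line")
    if reasons and task.get("Run As User", "").strip().upper() == "SYSTEM":
        reasons.append("runs as SYSTEM")
    return reasons

def find_suspect_tasks(tasks: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map task name -> reasons for every task with at least two hits."""
    suspects = {}
    for task in tasks:
        reasons = audit_task(task)
        if len(reasons) >= 2:
            suspects[task["TaskName"]] = reasons
    return suspects

# Constructed sample records (not real telemetry).
SAMPLE_TASKS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Task To Run": r"C:\Windows\system32\defrag.exe -c -h -o -$",
     "Schedule Type": "Weekly", "Run As User": "SYSTEM"},
    {"TaskName": r"\WindowsUpdateHelper",
     "Task To Run": r'"C:\Users\alice\AppData\Roaming\svchost.exe" -o stratum+tcp://pool.example:3333 --donate-level 1',
     "Schedule Type": "At system startup", "Run As User": "SYSTEM"},
    {"TaskName": r"\OneDrive Standalone Update",
     "Task To Run": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "Schedule Type": "Daily", "Run As User": "alice"},
]
```

Running `find_suspect_tasks(SAMPLE_TASKS)` flags only `\WindowsUpdateHelper`; the OneDrive updater also lives under a user profile but has no persistence trigger or pool arguments, so a single weak signal is not enough.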
Quiz: cryptocurrency or meme | Kaspersky official blog https://www.kaspersky.com/blog/what-the-cryptocurrency-quiz/21194/ Fri, 16 Feb 2018 14:00:46 +0000 https://www.kaspersky.com/blog/?p=21194 The world of cryptocurrencies and blockchain valuables abides by its own rules. The names of some altcoins (that’s all cryptocurrencies except Bitcoin) sound like Internet memes, yet on occasion, memes themselves inspire cryptocurrencies. And sometimes, the sane reaction to the launch of a new cryptocurrency is: You’ve gotta be kidding me! Has the world finally gone mad, or are these strange entities really our financial future?

We invite you to take our quiz (no googling, please), and find out what you know about cryptocurrencies. Can you distinguish real cryptocurrencies from popular online memes?

HTTPS does not mean a site is safe | Kaspersky official blog https://www.kaspersky.com/blog/https-does-not-mean-safe/20725/ Wed, 17 Jan 2018 16:26:49 +0000 https://www.kaspersky.com/blog/?p=20725 Let’s be honest, when most people see a little green lock with the word “Secure” to the left of a URL, they think the site is safe. Ditto for spotting the words “this site uses a secure connection” or a URL beginning with the letters “https.” More and more sites these days are switching to HTTPS. Most have no choice, in fact. So what’s the problem? The more secure sites there are, the better — right?

We’re about to let you in on a little secret: Those “Secure” symbols don’t guarantee a website is safe from all threats. A phishing site, for example, can legitimately display that comforting green lock next to its https address. So, what’s going on? Let’s find out.

A secure connection does not mean a secure site

The green lock means that the site has been issued a certificate and that a pair of cryptographic keys has been generated for it. Such sites encrypt information transmitted between you and the site. In this case, the page URLs begin with HTTPS, with the last “S” standing for “Secure.”

Sure, encrypting transmitted data is a good thing. It means that information exchanged between your browser and the site is not accessible to third parties—ISPs, network administrators, intruders, and so on. It lets you enter passwords or credit card details without worrying about prying eyes.

But the problem is that the green lock and the issued certificate say nothing about the site itself. A phishing page can just as readily get a certificate and encrypt all traffic that flows between you and it.

Put simply, all a green lock ensures is that no one else can spy on the data you enter. But your password can still be stolen by the site itself, if it’s fake.

Phishers make active use of this: According to Phishlabs, a quarter of all phishing attacks today are carried out on HTTPS sites (two years ago it was less than 1 percent). Moreover, more than 80 percent of users believe that the mere presence of a little green lock and the word “Secure” next to the URL means the site is safe, and they don’t think too hard before entering their data.

What if the lock isn’t green?

If the address bar shows no lock at all, that means the website does not use encryption, exchanging information with your browser using standard HTTP. Google Chrome has started tagging such websites as insecure. They might in fact be squeaky clean, but they don’t encrypt traffic between you and the server. Most website owners don’t want Google to label their websites as unsafe, so more and more are migrating to HTTPS. In any case, entering sensitive data on an HTTP site is a bad idea — anyone can spy on it.

The second variant you might see is a lock icon crisscrossed with red lines and the HTTPS letters marked in red. That means the website has a certificate, but the certificate is unverified or out of date. That is, the connection between you and the server is encrypted, but no one can guarantee that the domain really belongs to the company indicated on the site. This is the most suspicious scenario; usually such certificates are used for test purposes only.

Alternatively, if the certificate has expired and the owner has not gotten around to renewing it, browsers will tag the page as unsafe, but more visibly, by displaying a red lock warning. In either case, take the red as the warning it is and avoid those sites — never mind entering any personal data on them.

How not to fall for the bait

To sum up, the presence of a certificate and the green lock means only that the data transmitted between you and the site is encrypted, and that the certificate was issued by a trusted certificate authority. But it doesn’t prevent an HTTPS site from being malicious, a fact that is most skillfully manipulated by phishing scammers.

So always be alert, no matter how safe the site seems at first glance.

  • Never enter logins, passwords, banking credentials, or any other personal information on the site unless you are sure of its authenticity. To do so, always check the domain name — and very carefully; the name of a fake site might differ by only one character. And ensure links are reliable before clicking.
  • Always consider what a particular site is offering, whether it looks suspicious, and whether you really need to register on it.
  • Make sure your devices are well protected: Kaspersky Internet Security checks URLs against an extensive database of phishing sites, and it detects scams regardless of how “safe” the resource looks.
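The three lock states described above and the "differs by only one character" domain check, as an added example that is not Kaspersky's code: the certificate fields, the trust store and the domain names are constructed for the demonstration.

```python
"""Added example (not Kaspersky's code): what the address-bar lock does and
does not check.  The certificates are constructed dictionaries standing in for
the fields a browser reads (SAN list, issuer, validity); the trust store and
the expected domain are assumptions made for the demonstration."""
from datetime import datetime, timezone
from typing import Dict, List, Optional

TRUSTED_CAS = {"Example Public CA"}  # stand-in for the browser's root store

def lock_state(cert: Optional[Dict], host: str, now: datetime) -> str:
    """Reproduce the indicator: 'none' (plain HTTP), 'green' (trusted CA,
    in its validity window, name matches) or 'red' (anything else)."""
    if cert is None:
        return "none"
    name_ok = host in cert["san"]
    issuer_ok = cert["issuer"] in TRUSTED_CAS
    date_ok = cert["not_before"] <= now <= cert["not_after"]
    return "green" if name_ok and issuer_ok and date_ok else "red"

def lookalike_of(host: str, expected: List[str]) -> Optional[str]:
    """Return the expected domain `host` differs from by exactly one character
    (substitution, insertion or deletion), or None if it is not a lookalike."""
    def one_edit_away(a: str, b: str) -> bool:
        if len(a) == len(b):
            return sum(x != y for x, y in zip(a, b)) == 1
        shorter, longer = sorted((a, b), key=len)
        if len(longer) - len(shorter) != 1:
            return False
        return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))
    for dom in expected:
        if one_edit_away(host, dom):
            return dom
    return None

# Constructed certificates: the phishing one is just as 'green' as the real one.
NOW = datetime(2018, 1, 17, tzinfo=timezone.utc)
BANK_CERT = {"san": ["bank.example"], "issuer": "Example Public CA",
             "not_before": datetime(2017, 6, 1, tzinfo=timezone.utc),
             "not_after": datetime(2018, 6, 1, tzinfo=timezone.utc)}
PHISH_CERT = dict(BANK_CERT, san=["bamk.example"])      # one character off
EXPIRED_CERT = dict(BANK_CERT, not_after=datetime(2017, 12, 31, tzinfo=timezone.utc))

if __name__ == "__main__":
    for host, cert in [("bank.example", BANK_CERT), ("bamk.example", PHISH_CERT),
                       ("bank.example", EXPIRED_CERT), ("bank.example", None)]:
        print(host, lock_state(cert, host, NOW), lookalike_of(host, ["bank.example"]))
```

The lookalike check is the part the padlock never does: `bamk.example` with its own valid certificate earns the same green lock as the real domain.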
Vulnerabilities of electric car charging | Kaspersky official blog https://www.kaspersky.com/blog/electric-cars-charging-problems/20652/ Tue, 09 Jan 2018 14:00:26 +0000 https://www.kaspersky.com/blog/?p=20652 During the past five years, electric cars have made an incredible journey, from seeming a bit futuristic and impractical to being something that you want to own. With prices having decreased significantly, the number of electric cars sold hit 2 million by the beginning of 2017, and it is still growing. The infrastructure for electric cars is developing rapidly, so charging stations in your neighborhood don’t look so odd anymore, either.

But, as usually happens with a rapidly developing economic opportunity, manufacturers are jumping into the competition, trying to get as big a piece of the market as they can, and not thinking too hard about what happens next. Of course, we’re talking about security. Not safety, in this case — an electric charger is unlikely to injure you — but cybersecurity. Existing implementations of the basic concept — paying and charging — aren’t very concerned about the sanctity of your personal data and money. Mathias Dalheimer raised this issue at the thirty-fourth Chaos Communication Congress, in his talk about the vulnerabilities of the electric car infrastructure.

How the charging actually works

As the number of electric cars grows, so does the number of charging stations, where station providers receive money in exchange for providing energy. For those transactions, they need a built-in billing system. Before you can start charging your car, you need to identify yourself using your charging ID token, a special near-field-communication (NFC) card that is associated with your account.

The billing for electromobility is normally carried out using the Open Charge Point Protocol (OCPP), which regulates communications between billing management systems on one end and the electric charging point on the other end. The charging point sends a request identifying you to the billing system; billing management approves the request and lets the charging point know; and the station lets you start charging. Afterwards, the amount of electricity is calculated and sent back to the billing management system so that it can bill you at the end of the month.

Nothing surprising or even really new there, right? Well, let’s take a closer look and see where the problems begin.

Problems, problems everywhere

Dalheimer probed different components of the system and found that all of them had some problems with security. The first problem is the ID tokens. They are made by third-party providers and — surprise! — most of them do not secure your data. They are very simple NFC cards that do not encrypt your ID or anything else they contain. And the cards’ problems don’t end there: they’re pretty easy to program, which Mathias demonstrated by copying his own card and successfully charging with the copy. It would be easy for a knowledgeable person to program a bunch of cards, hoping to hit on a working account number. (Mathias didn’t try that, citing ethical reasons.)

Because charging providers bill once per month, if a car owner’s account is compromised in that way, they won’t see that anything is amiss until the monthly bill arrives.

Another shady thing about the procedure: Most stations use the 2012 version of OCPP, which is already relatively old and is based on HTTP. (We all know what’s wrong with HTTP, which uses no encryption for transactions.) Mathias demonstrated how easy it is to set up a man-in-the-middle attack by relaying the transaction.

Moreover, both stations that Mathias examined had USB ports. Plug in an empty flash drive – and logs and configuration data will be copied to the drive. From this data, it’s easy to get the login and the password for the OCPP server and, for good measure, the token numbers of previous users — which, remember, is all you need to imitate them.

Even worse, if the data on the drive is modified and then the USB drive is inserted back into the charging point, the charging point will automatically update from it and consider the data on the drive its new configuration. And that opens a whole lot of new possibilities to the hackers.

To sum up, criminals can: collect ID card numbers, imitate them and use them for transactions (for which the real account holders will have to pay); rewire charging requests, basically disabling the charging point; gain root access to the station and then do whatever they like. All because providers chose not to care about security.
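The charging exchange described under "How the charging actually works", together with the one check a billing system could run against the cloned-card problem, as an added example that is neither the talk's code nor any real OCPP implementation: message names follow OCPP 1.x, while the field names, token number, station names and meter values are constructed.

```python
"""Added example (not from the talk or any OCPP implementation): a simplified
Authorize / StartTransaction / StopTransaction exchange between charge point
and central (billing) system, plus a central-system check for one idTag in use
at two stations at once, the symptom of a copied NFC card.  Message names
follow OCPP 1.x; field names, token number and meter values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class CentralSystem:
    """Billing side: knows the valid idTags and tracks open charging sessions."""
    valid_tags: set
    open_sessions: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # idTag -> (station, meterStart)
    alerts: List[str] = field(default_factory=list)
    _next_tx: int = 1

    def authorize(self, id_tag: str) -> dict:
        """Authorize.conf: the card is only checked against the account list."""
        status = "Accepted" if id_tag in self.valid_tags else "Invalid"
        return {"idTagInfo": {"status": status}}

    def start_transaction(self, station: str, id_tag: str, meter_start: int) -> dict:
        """StartTransaction.conf, with the clone check added by this example."""
        if self.authorize(id_tag)["idTagInfo"]["status"] != "Accepted":
            return {"transactionId": 0, "idTagInfo": {"status": "Invalid"}}
        # The same token charging at a second station before the first session
        # ended is exactly what a copied card looks like from the billing side.
        if id_tag in self.open_sessions and self.open_sessions[id_tag][0] != station:
            self.alerts.append(f"{id_tag}: started at {station} while still charging at "
                               f"{self.open_sessions[id_tag][0]} (possible clone)")
            return {"transactionId": 0, "idTagInfo": {"status": "Blocked"}}
        tx, self._next_tx = self._next_tx, self._next_tx + 1
        self.open_sessions[id_tag] = (station, meter_start)
        return {"transactionId": tx, "idTagInfo": {"status": "Accepted"}}

    def stop_transaction(self, id_tag: str, meter_stop: int) -> int:
        """StopTransaction: close the session and return the Wh to bill."""
        _, meter_start = self.open_sessions.pop(id_tag)
        return meter_stop - meter_start

def run_scenario() -> Tuple[List[str], List[str], int]:
    """Constructed scenario: owner charges at station A; a copy of the card is
    presented at station B before A finishes.  Returns (statuses, alerts, Wh)."""
    cs = CentralSystem(valid_tags={"04A1B2C3"})
    tag = "04A1B2C3"
    statuses = [cs.start_transaction("station-A", tag, 1000)["idTagInfo"]["status"],
                cs.start_transaction("station-B", tag, 500)["idTagInfo"]["status"]]
    return statuses, cs.alerts, cs.stop_transaction(tag, 1800)
```

Without the overlap check the second session would simply be accepted and, as the post notes, the account holder would learn of it only from the monthly bill.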
